[OWASP_PHPSEC] OWASP Documentation

Abhishek Das das.abhshk at gmail.com
Sun Jul 28 07:12:53 UTC 2013


Hi all,

I'm aware of the issues. I haven't written any test cases after the latest
changes in the http request handling library, and hence the issues. I
apologize for that. I see a pull request from Sven on this as well. We can
carry forward the ongoing discussion there and merge it asap. I'll first
complete the documentation on the OWASP wiki, then add more robust test
cases for the library and send in a pull request.

Thanks


On Sun, Jul 28, 2013 at 11:25 AM, rahul chaudhary <
rahul300chaudhary400 at gmail.com> wrote:

> These test cases belong to Abhishek. I will contact him and let him know
> of this issue.
>
>
> On Sat, Jul 27, 2013 at 11:01 AM, Abbas Naderi <abiusx at owasp.org> wrote:
>
>> Sven,
>> Please create a folder in the repo, containing environments for IDEs, and
>> push yours in one of them. I don't want people to go through hell just to
>> be able to have this package in one environment.
>> -Abbas
>> ______________________________________________________________
>> Notice: This message is digitally signed; its source and integrity are
>> verifiable.
>> If your mail client does not support S/MIME verification, it will display
>> a file (smime.p7s), which includes the X.509 certificate and the signature
>> body. Read more at Certified E-Mail with Comodo and Thunderbird
>> <http://abiusx.com/certified-e-mail-with-comodo-and-thunderbird/> on
>> AbiusX.com
>>
>> On Mordad 5, 1392, at 1:28 PM, Sven Rautenberg <sven at rtbg.de> wrote:
>>
>> I'm in the process of setting up my environment to actually execute
>> anything. All my previous findings were made by looking at the code and
>> maybe run a small part manually.
>>
>> When I see that my IDE highlights the following in a testcase:
>>
>> $hr = HttpRequest::getParameter('HTTP_REFERER');
>>
>> And the complaint is that "getParameter" does not exist as a method in
>> HttpRequest, then I'm pretty sure the test suite hasn't been run for a
>> while, because this test can never be green.
>>
>> I do appreciate that there are some tests at least. Some of them are
>> way more complicated than they need to be (like the test for
>> confidentialString, which does not check the decrypted result but
>> tries to query a database with the values instead), some are more or
>> less created in an uncommon way (for example, do not use try/catch in a
>> test; PHPUnit will complain if an exception is thrown but wasn't expected),
>> and some aspects are currently really hard to test. Just think of the
>> HttpRequest class that detects the used SAPI - which is always CLI if
>> you run the tests from the command line - it would be necessary to run
>> the tests via Apache to find the bugs and have complete coverage, or (my
>> favorite) it needs more abstraction to allow faking the stuff.
>>
>> These testing issues need some experience to understand and avoid. And
>> it is true that during the time of exploration and experimentation
>> having too many tests will at least be nasty. But having none is also
>> not very good, because you will not notice if you break something
>> important.
>>
>> I'll be around some more time to give my feedback.
>>
>> Regards,
>> Sven
>>
>> On 27.07.2013 10:27, rahul chaudhary wrote:
>>
>> Hi, can you tell which tests are not working? I am constantly
>> checking that the test cases work, and they are working fine on my system...
>>
>> For some test cases, you need to have the DB installed.
>>
>> And yes, some of the test cases are not up to the standard. But as said,
>> for now they just demonstrate the working... in due time they will be
>> updated using useful feedback from people like you. :)
>>
>>
>> On Fri, Jul 26, 2013 at 3:27 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>
>> Hi Sven,
>> Since we're changing things a lot (change not as in refactoring, but as in
>> changing the whole ideas), it's not wise to go TDD. We're leaving test
>> coverage for the final phase in summer.
>> You should be aware that some developers in the team are working under
>> GSoC.
>> -Abbas
>>
>> On Mordad 4, 1392, at 11:47 PM, Sven Rautenberg <sven at rtbg.de> wrote:
>>
>> Hi all,
>>
>> I'll take that opportunity and mention my sadness about the tests that
>> are not really written, nor working.
>>
>> A test is the first opportunity to run the productive code. If it feels
>> weird or cumbersome to write the test, then probably the code under test
>> is not yet designed well.
>>
>> And the tests are always a working code example: They use the actual
>> code (if the using code gets outdated, tests go red and get fixed, so
>> examples are automatically updated), and they show both input parameters
>> and expected and unexpected return values.
>>
>> I'd really suggest to write tests first.
>>
>> Regards,
>>
>> Sven
>>
>>
>> On 26.07.2013 21:01, Johanna Curiel wrote:
>>
>> Hi Rauf
>>
>> I took a fast overview of your documentation, which looks great, so keep up
>> the good work. Something I recommend strongly is the use of code examples.
>> Creating code snippets where you explain how to use the library is a
>> great way to help users understand how they should implement the library.
>>
>> regards
>>
>> Johanna
>>
>>
>>
>>
>> On Jul 26, 2013, at 2:42 AM, rahul chaudhary <
>> rahul300chaudhary400 at gmail.com> wrote:
>>
>> Hello All and especially Johanna :P,
>>
>> I have finished my part of OWASP's documentation. You can look it here.
>>
>> https://www.owasp.org/index.php/Projects/OWASP_PHP_Security_Project/Roadmap
>>
>> What's left belongs to Abhishek. As more libraries are added, I will add
>> more documents there.
>>
>> I know that this document is not perfect and not at all final. So Johanna
>> and others, please read that and suggest what more to add. I have not added
>> technical details because those would be generated through PHPDocs and will
>> be kept in the GitHub docs or some other place. OWASP's wiki is just for
>> overview and reference.
>>
>> So please let me know what more to put there.
>>
>> --
>> Regards,
>> Rahul Chaudhary
>> Ph - 412-519-9634
>> _______________________________________________
>> OWASP_PHP_Security_Project mailing list
>> OWASP_PHP_Security_Project at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
>
>
> --
> Regards,
> Rahul Chaudhary
> Ph - 412-519-9634
>


-- 
Abhishek Das
IIT Roorkee
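Sven's point above about the HttpRequest class (the SAPI is always CLI under PHPUnit, so the web code path never runs unless the request environment can be faked) is easiest to see in code. The following is an added example, not code from the OWASP PHP Security Project: the request object reads the SAPI name and the request data through an injected environment interface, so a CLI test can stand in an Apache-like environment and exercise the web path. The names RequestEnvironment, PhpEnvironment, FakeEnvironment, header(), postParameter() and check() are assumptions for this illustration, not the library's API; the header and parameter values are constructed. Assumes PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added example (not OWASP PHPSEC code): the request class depends on an
// environment interface instead of reading PHP_SAPI and the superglobals
// directly, so tests can fake a web SAPI while running from the CLI.
interface RequestEnvironment
{
    public function sapiName(): string;
    public function serverVars(): array;
    public function getVars(): array;
    public function postVars(): array;
}

// Production adapter: the real SAPI and superglobals.
final class PhpEnvironment implements RequestEnvironment
{
    public function sapiName(): string { return PHP_SAPI; }
    public function serverVars(): array { return $_SERVER; }
    public function getVars(): array { return $_GET; }
    public function postVars(): array { return $_POST; }
}

// Test double: constructed values that pretend to be a web request.
final class FakeEnvironment implements RequestEnvironment
{
    public function __construct(
        private string $sapi,
        private array $server,
        private array $get = [],
        private array $post = []
    ) {}

    public function sapiName(): string { return $this->sapi; }
    public function serverVars(): array { return $this->server; }
    public function getVars(): array { return $this->get; }
    public function postVars(): array { return $this->post; }
}

final class HttpRequest
{
    public function __construct(private RequestEnvironment $env) {}

    public function isCli(): bool
    {
        return $this->env->sapiName() === 'cli';
    }

    // GET and POST are kept separate on purpose: merging them ($_REQUEST
    // style) lets an attacker supply a "POST-only" value in the query string.
    public function getParameter(string $name, ?string $default = null): ?string
    {
        return self::stringOrDefault($this->env->getVars(), $name, $default);
    }

    public function postParameter(string $name, ?string $default = null): ?string
    {
        return self::stringOrDefault($this->env->postVars(), $name, $default);
    }

    // Request headers such as HTTP_REFERER are client-controlled: fine for
    // logging or a soft hint, never a CSRF defence or an authorization input.
    public function header(string $serverKey): ?string
    {
        return self::stringOrDefault($this->env->serverVars(), $serverKey, null);
    }

    // Array values (?x[]=1) and non-strings are rejected, not coerced.
    private static function stringOrDefault(array $source, string $key, ?string $default): ?string
    {
        return isset($source[$key]) && is_string($source[$key]) ? $source[$key] : $default;
    }
}

// Assumed helper (not PHPUnit): keeps the example runnable with plain `php`.
function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// A "web" test that runs from the CLI: the fake reports apache2handler and
// carries constructed header, query-string and body values.
$fake = new FakeEnvironment(
    'apache2handler',
    ['HTTP_REFERER' => 'https://example.test/login', 'REQUEST_METHOD' => 'POST'],
    ['id' => '42', 'tags' => ['a', 'b']],
    ['id' => 'from-body']
);
$req = new HttpRequest($fake);

check($req->isCli() === false, 'fake SAPI is not CLI');
check($req->header('HTTP_REFERER') === 'https://example.test/login', 'referer read from server vars');
check($req->header('HTTP_X_ABSENT') === null, 'missing header yields null');
check($req->getParameter('id') === '42', 'GET value comes from the query string only');
check($req->postParameter('id') === 'from-body', 'POST value comes from the body only');
check($req->getParameter('tags', 'none') === 'none', 'array parameter is rejected');

// The same class under the real environment, with no change to its code.
$real = new HttpRequest(new PhpEnvironment());
echo 'Fake-environment checks passed; real SAPI is ' . PHP_SAPI
    . ($real->isCli() ? ' (CLI)' : ' (web)') . "\n";
```

Run it with `php example.php` from a terminal: the checks pass even though PHP_SAPI is `cli`, because the web behaviour is driven by the fake rather than by the process that runs the test. In a PHPUnit suite the `check()` calls would become `$this->assertSame()` calls, and no try/catch is needed around them.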